Hilton Told to Pay Up After Mishandling Data Breaches

Hilton Hotels has agreed to pay $700,000 in a settlement with state authorities in the United States, in the wake of two separate credit card data breaches.

The point-of-sale (PoS) attacks, which the hotel giant discovered in 2014 and 2015, exposed more than 363,000 payment cards. According to the state investigators, however, customer notifications were not sent until November 2015, more than nine months after the first breach and more than three months after the second.

In the first incident, the PoS malware was determined to have been active between November 18 and December 5, 2014, during which time the attackers may have accessed cardholder names, payment card numbers, security codes and expiration dates. In the second incident, the same type of PoS malware was active between April 21 and July 27, 2015, when an intrusion detection system alerted Hilton that malware on its systems was communicating with a command-and-control (C&C) server.

Hilton's public acknowledgement of the incidents came two months after independent security journalist Brian Krebs reported that attackers may have compromised registers in gift shops and restaurants at a "large number" of Hilton properties.

The penalty was imposed because of that notification gap, during which fraudulent charges could be run on the affected cards while their holders had no reason to watch for them, and because of what investigators described as a range of inadequate security measures. The money will be split between the states of New York and Vermont.

As part of the settlement, Hilton committed to disclosing any future breaches in a more timely manner and said it would strengthen its ongoing security and intrusion detection efforts.

"Hilton is strongly committed to protecting our customers' payment card information and maintaining the integrity of our systems," the company said in a statement.